Iranian Hackers Ensnared Targets via Phony Female Photographer

She’s a London-based young professional photographer, an Arsenal FC fan, and she’s interested in learning more about the region where her LinkedIn, Facebook, and Blogger connections live. Her relationship status on Facebook: “It’s complicated.”

Meet “Mia Ash,” a phony but apparently very convincing online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets. The highly detailed and creative social engineering ruse employs “Mia” as the lure in order to ultimately drop information-stealing spy malware onto the victim’s machine.

Researchers at SecureWorks last week at Black Hat USA in Las Vegas published a report on their findings of this attack campaign, which began in January of this year first as a pure phishing campaign that soon evolved with Mia Ash’s phony LinkedIn, Facebook, and blog accounts, to further social-engineer the targets and earn their trust.

The so-called Oil Rig, aka Cobalt Gypsy, hacking team hit petroleum giant Saudi Aramco in 2012 with a massive attack that damaged or wiped the had drives of some 25,000 of the oil company’s computers. The same attackers came back with fresh Shamoon attacks hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

“This is the most active Iranian group we’re aware of,” says Allison Wikoff, lead researcher on the so-called Mia Ash research by SecureWorks. “We see infrastructure on a weekly basis and new activity all the time” by them, she says.

SecureWorks believes that Mia Ash may be just one of several personas used by the group to gather intel on their targets, mainly energy firms and technology companies in the Middle East. The company has been tracking OilRig/Cobalt Gypsy since 2015, when they first spotted them creating a network of phony LinkedIn profiles.

While the researchers weren’t able to determine the specific information the attackers were going after via the Mia persona attacks, they spotted them attempting to obtain the user’s network credentials.

Once Mia and her connections had established their social media relationship, the attackers sent a phishing email to the target. That included a rigged attachment with enabled Macros to install PupyRAT, which gives an attacker full access to the targeted machine.

Wikoff says her team believes this was just the early stages of the full attack. The first stage is to get the targeted individual’s credentials via PupyRAT, which would give the attackers a foothold in the target’s organization. It’s unclear if Shamoon data-wiping would be next in the attack chain, but it’s a “plausible hypothesis,” she says.

Some of the targets moved their communique with “Mia” to WhatsApp, so it’s unclear what information the victims shared with “Mia” in private, she says.

SecureWorks in its report says one of the victims appears to have even registered a domain for Mia, and Mia reciprocated. They aren’t sure why the domains were registered, but they believe it was either a gesture of trust; or the victim’s information was compromised and used for the domain; or the victim actually works with the attackers. “The domains are parked, no malware on them or services set up,” Wikoff says. “It’s strange, but it gave us a timeline of activity.”

That victim is a cybersecurity expert in a large consulting firm with a background in the oil and gas industry, she says. SecureWorks reached out to the security expert to alert him of the scam, but hasn’t heard back as of this posting, she says.

Remember ‘Robin Sage?’

Mia Ash was reminiscent of the 2010 “Robin Sage” social engineering research project conducted by security expert Thomas Ryan, who presented his findings that year at Black Hat USA. Ryan created an online persona of Robin using a photo of a twenty-something real model and set her up on LinkedIn, Facebook, and Twitter, who purportedly worked for the Naval Network Warfare Command. Robin attracted connections from people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the US Marines, a chief of staff for the US House of Representatives, and several Pentagon and DoD employees. Her profiles also attracted defense contractors the likes of Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton.

Phony personas are really nothing new in the spying world. John Bambenek, threat systems manager at Fidelis Cybersecurity, says phony personas have been around for a long time in espionage circles as well as in cyber espionage. “But it’s not efficient” for the attackers as an MO, he says, nor is it the most sophisticated MO. “But to a certain point, social engineering works,” he says.

“They do bulk collection and then figure out how to target [their marks] from there,” he says.

Iranian nation-state hackers in general are becoming more sophisticated since their early days of defacing websites. “They continue to evolve. They’re not in the top tier in terms of capabilities,” says Dmitri Alperovitch, co-founder and CTO of CrowdStrike.

“We’ve seen several waves of Shamoon. Last fall and winter, they were able to cause quite a bit of damage,” Alperovitch notes.

So far, Iran’s nation-state hacking operations have been more about spying in their Western targets. But Alperovitch notes that indeed could change to more destructive attacks in the future. “There’s no question that there’s a great deal of concern. Tensions over the bill passed on sanctions on Iran [for instance] … cyber is one of the ways they can hit back at us,” he says.

Palo Alto Networks meawhile late last week revealed some new details on OilRig’s activity: they spotted the gang using a new variant of another Iranian threat group’s Trojan – called ISMAgent. ISMAgent is a more “limited but flexible” version of the so-called Greenbug attack group’s Trojan, according to PAN.

“With the inclusion of ISMAgent within the OilRig toolset, we are beginning to see stronger relationships between the various documented groups operating in the Middle East. This region has proven to be a hot bed of espionage motivated activity over the last couple of years, and there appear to be no signs of this changing,” PAN researchers Robert Falcone and Bryan Lee wrote in a blog post.

PAN’s team has not, however, seen the fake social media profiles SecureWorks found, the researchers said in response to a Dark Reading inquiry.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio